[GTALUG] SSL Certs for both web and email servers

ac ac at main.me
Tue Dec 1 06:37:26 EST 2020


On Tue, 1 Dec 2020 03:34:06 -0500
John Sellens via talk <talk at gtalug.org> wrote:
> On Tue, 2020/12/01 08:16:49AM +0200, ac via talk <talk at gtalug.org> wrote:
> | > I have three domains and a small but invariant number of subdomains
> | > that I want to encrypt - should I try to pull them all under one SSL
> | > cert, or do one for each domain, or one for every subdomain?  I don't
> | > need a wildcard, but I would like something relatively painless if
> | > possible.
> | 
> | yes, in your case, and for painless and easy, just use the domain name
> | and one cert. so, instead of mail.example.com and www.example.com
> | - just use example.com. 
> 
> I think that might cause client complaints in some cases.
> 
imho i do not think with three domains this will be an issue.

what is the point of having mail.example.com if the IP number for
mail.example.com is the same as example.com ? the same can be asked
about imap.example.com and pop.example.com etc.

This is just wasteful and increases the risk of issues, adds complexity
and does not serve any "real" technical, logical or functional purpose.

The reason why mail.example.com used to be prevalent - pre container -
was because mail.example.com - was at a different IP number / different network
even...

And, actually even if you had 100 domains on one server: reducing
complexity, reducing the amount of DNS lookups and reducing pebcac,
reducing comms, reducing traffic, reducing load and reducing wastage -
means:

You are making it easier for clients

And : You are even saving cycles, saving electricity, saving network
traffic and TOOOTEROOO:

Saving the planet

in case you did not know: In 2020 - 2030 - we will still get the vast
majority of our power from non sustainable fossil sources. so, we
should all try to be less wasteful, mind you, now with Alaska being
strip mined and auction sold, the planet has a lot more to waste. 

> I think letsencrypt now provides wildcard certifications, but you
> can use multiple -d options when creating or updating a certificate
> e.g.
> 
>   certbot certonly \
>     --non-interactive \
>     --expand \
>     --webroot \
>     -w /var/www/html/letsencrypt \
>     --cert-name www.example.com \
>     -d example.com \
>     -d mail.example.com \
>     -d blog.example.com
> And then the one certificate is valid for all those names.
> 
a small number of invariant subdomains usually means
www.example.com, pop.example.com, mail.example.com, 
imap.example.com and in this case - x3 domains

but, one could also wildcard (*) just simply -d *.example.com and add
_acme-challenge TXT record to example.com dns zone 
(auth: preferred-challenges=dns - when you apply for cert) 

depending on your resources and very importantly, your dns servers
timeouts, rate_limits and other issues, there could be pain/risk with
multiple/many -d every 90 days 

> Hope that helps - letsencrypt is really remarkably convenient.
> 
indeed it is.

> John
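Added example, not part of the thread or of certbot: a small stdlib-only checker for the question the two approaches above raise, namely which of your hostnames a given certificate's dNSName SAN list actually covers. It applies the matching rules browsers and mail clients use (RFC 6125 style): exact case-insensitive match, or a wildcard whose `*` is the whole leftmost label and matches exactly one label. The SAN lists and hostname list are constructed for illustration; in particular they show that `-d '*.example.com'` on its own does not cover the bare `example.com`, so a wildcard request needs the apex as a second `-d`.

```python
"""Check which hostnames a certificate's subjectAltName list actually covers.

Added example (not from the thread). The SAN lists below are constructed
for illustration, not read from real certificates.
"""
from __future__ import annotations


def hostname_matches_san(hostname: str, san: str) -> bool:
    """Return True if a single dNSName SAN entry covers hostname.

    Rules (RFC 6125 style, as applied by browsers and mail clients):
    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is only valid as the entire leftmost label ("*.")
    - the wildcard matches exactly one label, so *.example.com covers
      mail.example.com but neither example.com nor a.b.example.com
    """
    host = hostname.lower().rstrip(".")
    name = san.lower().rstrip(".")
    if "*" not in name:
        return host == name
    wild_label, _, suffix = name.partition(".")
    if wild_label != "*" or not suffix:
        return False  # e.g. "m*.example.com" is not a usable wildcard
    host_label, _, host_suffix = host.partition(".")
    return bool(host_label) and host_suffix == suffix


def uncovered_names(hostnames: list[str], sans: list[str]) -> list[str]:
    """Return the hostnames (in input order) that no SAN entry covers."""
    return [h for h in hostnames
            if not any(hostname_matches_san(h, s) for s in sans)]


# Constructed SAN lists for the strategies discussed in the thread.
SAN_CERT = ["example.com", "mail.example.com", "blog.example.com"]
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]

# Constructed list of names the original poster would want covered.
NEEDED = ["example.com", "www.example.com", "mail.example.com",
          "imap.example.com", "pop.example.com"]

if __name__ == "__main__":
    for label, sans in [("multi -d cert", SAN_CERT),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        missing = uncovered_names(NEEDED, sans)
        print(f"{label:16s} missing: {missing or 'none'}")
```

Run it before reloading a renewed cert into postfix/dovecot/nginx: a name in the "missing" list is exactly the one that will produce the client complaints mentioned above.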